Building a security awareness training programme from scratch feels overwhelming. Where do you start? What does good look like? How do you know when you are done?
This checklist covers everything you need to build a world-class security awareness programme — whether you are starting from zero or auditing an existing programme. It is structured as a 30-day implementation plan, but the phases can be extended based on your organisation's size and resources.
Download it, share it with your HR and security team, and use it as your programme audit tool every six months.
Phase 1 — Foundation (Week 1)
Organisational Readiness
☐ Identify your security awareness programme owner (CISO, IT Manager, or HR)
☐ Get explicit executive sponsorship — security culture requires top-down commitment
☐ Define your employee base — total headcount, departments, locations, remote vs office
☐ Identify high-risk roles: finance team, executives, IT administrators, customer support
☐ Confirm your compliance requirements: DPDPA, ISO 27001, GDPR, HIPAA, PCI DSS, SOC 2
Baseline Assessment
☐ Run a baseline phishing simulation to establish current susceptibility rate
☐ Survey employees on their confidence in identifying security threats
☐ Review past incidents — what caused them? What were the human factors?
☐ Audit existing security policies — are they current, accessible, and understood?
☐ Check current training records — what exists, when was it done, who completed it?
Phase 2 — Policy Framework (Week 2)
Core Policies (Must Have)
☐ Information Security Policy — the master policy covering overall security posture
☐ Acceptable Use Policy — what employees can and cannot do with company devices and data
☐ Password and Access Management Policy — password requirements, MFA, shared account rules
☐ Data Classification Policy — what is confidential, internal, or public data
☐ Incident Reporting Policy — how employees report suspected security incidents
☐ Clean Desk and Clear Screen Policy — physical security at workstations
☐ Remote Work Security Policy — VPN requirements, home network rules, public Wi-Fi
Policy Distribution
☐ Policies are accessible to all employees (intranet, document management system)
☐ Employees are required to read and acknowledge each policy — with a signed record
☐ Policy acknowledgements are stored with timestamp and user ID (for audit evidence)
☐ New joiner onboarding includes mandatory policy review in first week
☐ Policies are reviewed and updated at least annually
Phase 3 — Training Content (Week 2-3)
Core Training Modules (Mandatory for All Employees)
☐ Phishing and social engineering recognition
☐ Password security and multi-factor authentication
☐ Safe internet and email usage
☐ Data handling and classification
☐ Incident reporting — what to report, how to report, when to report
☐ Physical security and clean desk
☐ Remote and mobile working security
☐ Compliance-specific training (DPDPA / GDPR / HIPAA / PCI DSS as applicable)
Role-Based Training (Additional Modules by Role)
☐ Executives: CEO fraud, BEC, board-level threat landscape
☐ Finance team: Invoice fraud, wire transfer scams, payment authorisation procedures
☐ IT and developers: Secure coding, privileged access management, patch management
☐ HR: Candidate data handling, offboarding procedures, insider threat indicators
☐ Customer support: Social engineering by callers, data verification before disclosure
Training Format and Delivery
☐ Modules are under 15 minutes each — longer modules see dramatically lower completion
☐ Videos with scenario-based examples (not just slides with text)
☐ Post-module quiz with minimum passing score (recommended: 60%)
☐ Certificate generated automatically upon completion
☐ Training is accessible on mobile devices
☐ Training is available in regional languages where needed (Hindi, Tamil, etc.)
Phase 4 — Phishing Simulation (Week 3)
☐ Schedule monthly simulated phishing campaigns — different templates each month
☐ Vary attack types: credential phishing, malicious attachments, QR code phishing
☐ Use real-world templates relevant to the Indian context (IT support, bank alerts, GSTIN notices)
☐ Measure click rate, credential submission rate, and report rate per department
☐ Employees who click are automatically enrolled in targeted remedial training
☐ Results are reviewed with department heads monthly
☐ Never use phishing simulation results punitively — the goal is learning, not punishment
Phase 5 — Compliance and Audit Readiness (Week 4)
Documentation Your Auditor Will Ask For
☐ Training completion records — per employee, per module, with dates
☐ Certificates of completion — individually verifiable
☐ Policy acknowledgement records — signed, dated, timestamped
☐ Phishing simulation results — showing trend of improvement over time
☐ Incident reports — how many security incidents were reported by employees?
☐ Training calendar — scheduled training dates for the year
Compliance Mapping
☐ ISO 27001 Annex A Control 6.3 — security awareness covered ✓
☐ DPDPA 2023 — employee training on data handling obligations ✓
☐ GDPR Article 39 — data protection awareness covered ✓
☐ HIPAA §164.308(a)(5) — security awareness training ✓
☐ PCI DSS Requirement 12.6 — security awareness programme ✓
☐ SOC 2 CC1.4 / CC2.2 — security communication and training ✓
Phase 6 — Measurement and Continuous Improvement
Metrics to Track Monthly
☐ Training completion rate (target: >95%)
☐ Phishing simulation click rate (target: <5% within 12 months)
☐ Phishing report rate — employees who reported the simulation as suspicious
☐ Quiz pass rate per module — identifies knowledge gaps
☐ Number of real security incidents reported by employees
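As an added example (not CyberSek's code or part of this checklist), the script below turns a constructed phishing-simulation export into the per-department click, credential-submission and report rates from Phase 4, lists the employees to enrol in remedial training, and checks the monthly click-rate and completion-rate targets listed above; the record fields, department names and user IDs are assumptions.

```python
from collections import defaultdict

# Constructed sample export from a phishing simulation (not real data).
# One record per targeted employee; field names are assumed for illustration.
SIMULATION_RESULTS = [
    {"user_id": "u001", "department": "Finance", "clicked": True, "submitted_credentials": True, "reported": False},
    {"user_id": "u002", "department": "Finance", "clicked": True, "submitted_credentials": False, "reported": False},
    {"user_id": "u003", "department": "Finance", "clicked": False, "submitted_credentials": False, "reported": True},
    {"user_id": "u004", "department": "Finance", "clicked": False, "submitted_credentials": False, "reported": False},
    {"user_id": "u005", "department": "Engineering", "clicked": False, "submitted_credentials": False, "reported": True},
    {"user_id": "u006", "department": "Engineering", "clicked": False, "submitted_credentials": False, "reported": True},
    {"user_id": "u007", "department": "Engineering", "clicked": False, "submitted_credentials": False, "reported": False},
    {"user_id": "u008", "department": "Engineering", "clicked": False, "submitted_credentials": False, "reported": True},
]

# Constructed training-completion records for the same employees.
TRAINING_RECORDS = [{"user_id": f"u00{i}", "completed": i != 7} for i in range(1, 9)]

TARGET_CLICK_RATE = 0.05        # checklist target: <5% click rate within 12 months
TARGET_COMPLETION_RATE = 0.95   # checklist target: >95% training completion


def department_metrics(results):
    """Click, credential-submission and report rate per department (Phase 4)."""
    counts = defaultdict(lambda: {"targeted": 0, "clicked": 0, "submitted": 0, "reported": 0})
    for r in results:
        c = counts[r["department"]]
        c["targeted"] += 1
        c["clicked"] += int(r["clicked"])
        c["submitted"] += int(r["submitted_credentials"])
        c["reported"] += int(r["reported"])
    return {
        dept: {
            "click_rate": c["clicked"] / c["targeted"],
            "credential_rate": c["submitted"] / c["targeted"],
            "report_rate": c["reported"] / c["targeted"],
        }
        for dept, c in counts.items()
    }


def remedial_enrolments(results):
    """Employees who clicked and are auto-enrolled in targeted remedial training."""
    return sorted(r["user_id"] for r in results if r["clicked"])


def departments_over_target(metrics, target=TARGET_CLICK_RATE):
    """Departments whose click rate has not yet reached the target."""
    return sorted(d for d, m in metrics.items() if m["click_rate"] >= target)


def completion_rate(records):
    """Share of employees who completed mandatory training (Phase 6 metric)."""
    return sum(int(r["completed"]) for r in records) / len(records) if records else 0.0
```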
Quarterly Review
☐ Review completion rates by department — identify teams needing extra engagement
☐ Update training content for new threats (new phishing techniques, new regulations)
☐ Review phishing simulation templates — use current events and trending attack vectors
☐ Brief executive team on programme metrics and improvement trends
Annual Review
☐ Full programme audit against this checklist
☐ Update all policies to reflect current threat landscape and regulatory changes
☐ Benchmark against industry peers
☐ Set targets for the following year
The 5 Most Common Mistakes to Avoid
1. Training once a year and calling it done. Employees forget 90% of content within 30 days. Annual training produces a compliance tick, not security behaviour.
2. Making training too long. Modules over 30 minutes see dramatic drop-off. Short, frequent, focused training outperforms long annual sessions by every measure.
3. No simulated phishing. Training without testing is like fire drills without fire alarms. You need to measure whether the training is working.
4. Treating it as an IT project. Security awareness is a culture and behaviour change initiative. It requires HR, leadership, and communications involvement — not just IT.
5. No executive participation. If leadership is exempt from training, employees notice. The fastest way to signal that security is important is for the CEO to complete the training first.
Tools to Help You Execute This Checklist
You do not need a large budget to implement this programme. CyberSek's platform automates the operational elements:
22 AI-powered training modules covering every item above
Automatic assignment and reminder emails to employees
Quiz completion and certificate generation — automatic
Policy acknowledgement management with audit trail
Real-time completion dashboard for admins
Audit-ready compliance reports in one click
The checklist above is free. The automation to execute it is available from ₹125 per employee per month.
Written by Namita Kumari | Security Awareness Specialist at CyberSek
Use CyberSek to implement every item on this checklist — without the manual overhead. Start your free 7-day trial.